blackmoon | 145429da99f3119c36ac1ca6ff92e45dbb359fa5bb6193caea8a5e0950bca4be

Analysis

max time kernel
118s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
12-07-2023 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

145429da99f3119c36ac1ca6ff92e45dbb359fa5bb6193caea8a5e0950bca4be.exe
Size

878KB
MD5

e15f7d7aa38489dcf766f2e4376d7a33
SHA1

7b1523b62898a668cb1a956399f5217ddd8d375f
SHA256

145429da99f3119c36ac1ca6ff92e45dbb359fa5bb6193caea8a5e0950bca4be
SHA512

d999e84dc49baa4d74db193f045fd3efc0c66263c3406706129f0750319b0d532ebf70c01e94c598f26211ffb089d6d0c03ef9351995e3886cd2ca7094882fa6
SSDEEP

6144:XHO77yUweZuvt7DggWqgNUPfKAm0egVMUiEFxx2GTzwooYeRHTr1NGR:3ZtvlrzegVMU9xU2zwoWRHTr1NGR

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2472-54-0x0000000000400000-0x00000000005E8000-memory.dmp	family_blackmoon
behavioral1/memory/2472-59-0x0000000000400000-0x00000000005E8000-memory.dmp	family_blackmoon
behavioral1/memory/2472-61-0x00000000005F0000-0x0000000000628000-memory.dmp	family_blackmoon
behavioral1/memory/2472-64-0x00000000005F0000-0x0000000000628000-memory.dmp	family_blackmoon

Loads dropped DLL 3 IoCs

Processes:

145429da99f3119c36ac1ca6ff92e45dbb359fa5bb6193caea8a5e0950bca4be.exeWerFault.exe

pid process

2472 145429da99f3119c36ac1ca6ff92e45dbb359fa5bb6193caea8a5e0950bca4be.exe
1304 WerFault.exe
1304 WerFault.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1304 2472 WerFault.exe 145429da99f3119c36ac1ca6ff92e45dbb359fa5bb6193caea8a5e0950bca4be.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

145429da99f3119c36ac1ca6ff92e45dbb359fa5bb6193caea8a5e0950bca4be.exe

pid process

2472 145429da99f3119c36ac1ca6ff92e45dbb359fa5bb6193caea8a5e0950bca4be.exe

pid	process
2472	145429da99f3119c36ac1ca6ff92e45dbb359fa5bb6193caea8a5e0950bca4be.exe
1304	WerFault.exe
1304	WerFault.exe

pid	pid_target	process	target process
1304	2472	WerFault.exe	145429da99f3119c36ac1ca6ff92e45dbb359fa5bb6193caea8a5e0950bca4be.exe

pid	process
2472	145429da99f3119c36ac1ca6ff92e45dbb359fa5bb6193caea8a5e0950bca4be.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

145429da99f3119c36ac1ca6ff92e45dbb359fa5bb6193caea8a5e0950bca4be.exe

description	pid	process	target process
PID 2472 wrote to memory of 1304	2472	145429da99f3119c36ac1ca6ff92e45dbb359fa5bb6193caea8a5e0950bca4be.exe	WerFault.exe
PID 2472 wrote to memory of 1304	2472	145429da99f3119c36ac1ca6ff92e45dbb359fa5bb6193caea8a5e0950bca4be.exe	WerFault.exe
PID 2472 wrote to memory of 1304	2472	145429da99f3119c36ac1ca6ff92e45dbb359fa5bb6193caea8a5e0950bca4be.exe	WerFault.exe
PID 2472 wrote to memory of 1304	2472	145429da99f3119c36ac1ca6ff92e45dbb359fa5bb6193caea8a5e0950bca4be.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\145429da99f3119c36ac1ca6ff92e45dbb359fa5bb6193caea8a5e0950bca4be.exe
"C:\Users\Admin\AppData\Local\Temp\145429da99f3119c36ac1ca6ff92e45dbb359fa5bb6193caea8a5e0950bca4be.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 244
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:1304

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Public\Documents\gjttn.dll

Filesize
2KB

MD5
7943effe67a4647e06def2348949020e

SHA1
eabd561f0639a975de259633f63896d82c3f878d

SHA256
3fac47db92d581b2daef7a4f9493be2fe441041e5158101d80873d05808d5cfa

SHA512
c9db1962e7457c94426c2a5c7f439736697d4399db6982c45357459d58805daa4a9d297912135488b6990e265ffa59d687fd5ba43717aab46ccc212083ef5003

Download Submit
\Users\Public\Documents\gjttn.dll

Filesize
2KB

MD5
7943effe67a4647e06def2348949020e

SHA1
eabd561f0639a975de259633f63896d82c3f878d

SHA256
3fac47db92d581b2daef7a4f9493be2fe441041e5158101d80873d05808d5cfa

SHA512
c9db1962e7457c94426c2a5c7f439736697d4399db6982c45357459d58805daa4a9d297912135488b6990e265ffa59d687fd5ba43717aab46ccc212083ef5003

Download Submit
\Users\Public\Documents\gjttn.dll

Filesize
2KB

MD5
7943effe67a4647e06def2348949020e

SHA1
eabd561f0639a975de259633f63896d82c3f878d

SHA256
3fac47db92d581b2daef7a4f9493be2fe441041e5158101d80873d05808d5cfa

SHA512
c9db1962e7457c94426c2a5c7f439736697d4399db6982c45357459d58805daa4a9d297912135488b6990e265ffa59d687fd5ba43717aab46ccc212083ef5003

Download Submit
memory/2472-54-0x0000000000400000-0x00000000005E8000-memory.dmp

Filesize
1.9MB

Download
memory/2472-59-0x0000000000400000-0x00000000005E8000-memory.dmp

Filesize
1.9MB

Download
memory/2472-60-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2472-61-0x00000000005F0000-0x0000000000628000-memory.dmp

Filesize
224KB

Download
memory/2472-64-0x00000000005F0000-0x0000000000628000-memory.dmp

Filesize
224KB

Download